'Heartbleed of MongoDB' under active exploit
Briefly

"A high-severity MongoDB Server vulnerability, for which proofs of concept emerged over Christmas week, is now under active exploitation, according to the US Cybersecurity and Infrastructure Security Agency. It wouldn't be the holiday break without a potentially devastating security vulnerability popping up to crash the PTO party, and this one definitely fits the bill, with one expert calling it "basically Heartbleed for MongoDB." Yeah, it's that serious."
"Dubbed MongoBleed by the Elastic Security researcher who published a proof of concept on December 26, the vulnerability was actually identified back on December 15 and patched by the MongoDB crew shortly thereafter. It affects a wide range of MongoDB Server versions, with MongoDB urging affected users to upgrade to fixed releases immediately. "If you cannot upgrade immediately, disable zlib compression on the MongoDB Server," the MongoDB maker urged."
CVE-2025-14847 is a CVSS 8.7 vulnerability in MongoDB Server caused by a mismatch between the uncompressed length declared in the header of a zlib-compressed protocol message and the data actually decompressed. A malformed packet can allow an unauthenticated remote attacker to read uninitialized heap memory, potentially exposing user data, passwords, API keys, and other sensitive material. Proofs of concept emerged over Christmas week and CISA has reported active exploitation. The flaw affects many MongoDB Server versions; MongoDB patched the issue after discovery and urged immediate upgrades. If upgrading is not possible, disabling zlib compression on the server mitigates the exposure. Internet-exposed servers are at risk, as are private servers reachable by an attacker who has already gained a foothold on the network.
Read at Theregister